The purpose of this notice is to inform you of the type of information (including personal information) that the Integrated Care Board (ICB) holds; how that information is used; who we may share that information with; and how we keep it secure and confidential.
This privacy statement only covers NHS Suffolk and North East Essex Integrated Care Board and does not cover any other organisations or organisations that can be linked to from this site.
Who we are and what we do
NHS Suffolk and North East Essex Integrated Care Board
Severalls Business Park
Information Commissioner's Office (ICO) registration number: ZB340189
Data Protection Officer – Paul Cook (IG) – email: email@example.com
NHS Suffolk and North East Essex Integrated Care Board are responsible for implementing the commissioning roles as set out in the Health and Care Act 2022.
The ICB processes several different types of information:
- Identifiable – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth
- Pseudonymised information – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
- Anonymised – about individuals but with all identifying details removed
- Aggregated – statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use pseudonymised or anonymised data for this purpose, which means you cannot be identified from that information.
Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency
- Checking NHS accounts and services
- Working out what illnesses people will have in the future so that we can work with the local primary care services, community services and hospital services to make sure that patient needs are met
- Preparing performance reports about the services we commission
- Reviewing the care we commission to make sure it is of the highest standard
We will only use information that may identify you (known also as personal confidential data) in accordance with the Data Protection Act 2018. The Data Protection Act requires us to have a legal basis if we wish to process any personal information.
Therefore, as a commissioning organisation we do not routinely hold medical records or patient confidential data. There are, however, some specific areas where, because of our assigned responsibilities, we do hold and use personal information. In order to process that information, we will have met a legal requirement; in general this is where we have complied with one of the following:
- The information is necessary for facilitating direct healthcare for patients
- We have received consent from individuals to be able to use their information for a specific purpose
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
- We have special permission for health purposes (granted by the Health Research Authority Section 251)
- For the health and safety of others, for example to report an infectious disease such as COVID-19, meningitis or measles
Circumstances where we might need to use personal information
The areas where we use personal information are:
- Individual Funding Requests (IFR) – a process where patients and their GPs can request special treatments not routinely funded by the NHS
- Continuing Healthcare Assessments (a package of care for those with complex medical needs)
- The Medicines Management team work closely with the GP practices to support effective prescribing
- Social Prescribing Team
- Responding to your queries, concerns or complaints
- Incident investigations
- Assessment and evaluation of safeguarding concerns for individuals
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations
- To assess the needs of the general population
- Risk stratification
- Financial validation
In order to start operating as an Integrated Care System (ICS), SNEE ICB needs to be able to share the commissioning data with partners of their Integrated Care System. The ICB has agreed with NHS Digital that it can share commissioning data under a sub-license approach.
Each ICS partner organisation that requires a commissioning dataset will be required to complete and sign up to a sub-licensing agreement with terms and conditions.
The legal basis for sharing the data with ICS partners is as follows:
UK GDPR Article 6(1)(e) and Article 9(2)(h)
Onward sharing of the data by ICS partners (including sharing with data processors) is not permitted. Data must be segregated from other datasets and additional linkage is not permitted.
Current ICB sub-licensing agreements are in place with:
- East Suffolk and North Essex NHS Foundation Trust
- Essex Partnership University NHS Foundation Trust
- Norfolk and Suffolk NHS Foundation Trust
- West Suffolk NHS Foundation Trust
- Essex County Council
- Suffolk County Council
As further agreements with ICS partners are agreed, they will be added to this list.
The SNEE ICB IG Team will hold the signed ICB sub-licensee agreements.
Population Health Management (PHM) is helping Suffolk and North East Essex Integrated Care System (ICS) understand our current, and predict our future, health and care needs so we can take action in tailoring better care and support with individuals, design more joined up and sustainable health and care services, and make better use of public resources.
We use historical and current patient level data to understand what factors are driving poor outcomes in different population groups. We then design new proactive models of care which will improve health and wellbeing. This could be by stopping people becoming unwell in the first place, or, where this isn’t possible, improving the way the system works together to support them.
This only uses pseudonymised data i.e. where information that identifies you has been removed and replaced with a pseudonym. This will only ever be re-identified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice or health/care provider will be able to see your personal information in order to offer this service to you.
In order to carry out this data linkage, your pseudonymised data will be passed to NHS North of England Commissioning Support Unit (NECS), part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses. These linked datasets will also be shared securely with Optum Health Solutions, who act as Data Processor for the ICB to carry out any further analysis needed to support improvements to the local population’s health and to target health and social care resources effectively.
PHM is a partnership approach across the NHS and other public services; the outputs of the PHM programme will be shared across these organisations. All have a role to play in addressing the interdependent issues that affect people’s health and wellbeing.
Learn more about PHM in Suffolk and north east Essex.
Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.
The Integrated Care Board also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.
Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score.
There is currently section 251 support (CAG 7-04(a)/2013) in place for the Integrated Care Board to be able to receive data with the NHS Number as an identifier from both NHS Digital and your GP Practice to enable this work to take place. The data is sent directly into a risk stratification tool from NHS Digital / GP practices to enable the data to be linked and processed as described above. Once the data is within the tool, Integrated Care Board staff only have access to anonymised or aggregated data.
GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care.
What does ‘section 251’ support allow?
The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be transferred to an applicant without the discloser being in breach of the common law duty of confidentiality.
Changes to Data Controller Organisations for Risk Stratification
As of 1st July 2022, Clinical Commissioning Groups were replaced with Integrated Care Boards under the Health and Care Act 2022. The Confidentiality Advisory Group (CAG) have confirmed that an administrative amendment was supported to allow the processing of patient confidential data in line with the new Act by the Integrated Care Boards and data processors on behalf of GPs.
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How your data is used
Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital. It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.
Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
You have a choice
You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.
Will choosing this opt-out affect your care and treatment?
No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What do you need to do?
If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.
To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters
All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff will receive appropriate training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.
We take relevant organisational and technical measures to make sure that the information we hold is secure, such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption, and ensuring that information is transferred safely and securely.
The ICB does not transfer personal confidential information overseas.
Under the Data Protection Act 2018, the ICB is required to register with the Information Commissioner’s Office detailing all purposes for which personal identifiable data is collected, held and processed.
The ICB has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
In Health and Care, all organisations apply retention schedules in accordance with the NHS Records Management Code of Practice 2021 which determines the length of time records should be kept.
We work with several other NHS and partner agencies to provide health and social care services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas.
We contract with other organisations to provide a range of services to us such as IT services, payroll and other support services. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.
We ensure our external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Current external data processors:
Data Services for Commissioners Regional Offices (DSCRO): this is a regional secure service provided to the ICB by NHS Digital via North of England Commissioning Support Unit (NECSU).
Information may also be required to be shared for your benefit with other non-NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless it is to facilitate direct care or there are exceptional circumstances or a legal obligation such as:
- There is a risk of harm to someone or the wider community
- The prevention or detection of a serious crime
- Where we are required to do so by law
- Reporting some infectious diseases
- Prevention and detection of fraud – National Fraud Initiative (NFI)
If we are obligated to release information as described above, this will usually only be done with the approval of our Caldicott Guardian.
The ICB is party to several information sharing agreements which are drawn up to ensure information is shared in a way that complies with relevant legislation. These NHS and non-NHS organisations may include, but are not restricted to social services, education services, local authorities, police, and public health.
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at: firstname.lastname@example.org if you wish to make a request.
If you have any concerns about our use of your personal information, you can make a complaint to us at:
Data Protection Officer (DPO)
Suffolk and North East Essex Integrated Care Board
Severalls Business Park
Or email the DPO at: email@example.com
If you are not happy with the response, you can also complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.
Privacy Notice reviewed: March 2023
Information previously held by the CCGs
Information that has been held previously by Ipswich and East Suffolk, West Suffolk and North East Essex CCGs was transferred to NHS Suffolk and North East Essex Integrated Care Board (ICB) on 1st July 2022. The ICB will become the new data controller. Any questions about the use of data (including patient data) by the ICB should be directed to firstname.lastname@example.org